z/OS ICSF for TSS STIG Version Comparison

There are 1 differences between versions v6 r5 (July 27, 2018) (the "left" version) and v6 r7 (Oct. 27, 2021) (the "right" version).

Check ZICS0040 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified.

Check Content

Refer to the CSFPRMxx member in the logical PARMLIB concatenation. If the configuration parameters are specified as follows this is not a finding. REASONCODES(ICSF) COMPAT(NO) SSM(YES) CHECKAUTH(YES) FIPSMODE(YES,FAIL(NO)) AUDITKEYLIFECKDS finding. REASONCODES(ICSF) COMPAT(NO) SSM(NO) SSM can be dynamically set by defining the CSF.SSM.ENABLE SAF profile within the XFACILIT resource Class. If this profile is not limited to authorized personnel this is a finding. CHECKAUTH(YES) FIPSMODE(YES,FAIL(YES)) AUDITKEYLIFECKDS (TOKEN(YES),LABEL(YES)). AUDITKEYLIFEPKDS (TOKEN(YES),LABEL(YES)). AUDITKEYLIFETKDS (TOKENOBJ(YES),SESSIONOBJ(YES)). AUDITKEYUSGCKDS (TOKEN(YES),LABEL(YES),INTERVAL(n)). AUDITKEYUSGPKDS (TOKEN(YES),LABEL(YES),INTERVAL(n)). AUDITPKCS11USG (TOKENOBJ(YES),SESSIONOBJ(YES),NOKEY(YES),INTERVAL(n)). DEFAULTWRAP should -This parameter can be determined by the site. ENHANCED wrapping specifies the new X9.24 compliant CBC wrapping is used. If DEFAULTWRAP is not specified, the default wrapping method will be specified. Note: ORIGINAL for both internal and external tokens. Starting with ICSF FMID HCR77C0, the value for this option can be updated without restarting ICSF by using either the SETICSF command or the ICSF Multi-Purpose service. If this access is not restricted to appropriate personnel, this is a finding. (Note: Other options may be site defined.

Discussion

IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to properly configure parameter values could potentially the integrity of the base product which could result in compromising the operating system or sensitive data.

Fix

Evaluate the impact associated with implementation of the control options. Develop a plan of action to implement the control options for CSFPRMxx as specified below: REASONCODES(ICSF) COMPAT(NO) SSM(YES) CHECKAUTH(YES) FIPSMODE(YES,FAIL(NO)) AUDITKEYLIFECKDS below: REASONCODES(ICSF) COMPAT(NO) SSM(NO) SSM can be dynamically set by defining the CSF.SSM.ENABLE SAF profile within the XFACILIT resource Class. This profile must limited to authorized personnel. CHECKAUTH(YES) FIPSMODE(YES,FAIL(YES)) AUDITKEYLIFECKDS (TOKEN(YES),LABEL(YES)). AUDITKEYLIFEPKDS (TOKEN(YES),LABEL(YES)). AUDITKEYLIFETKDS (TOKENOBJ(YES),SESSIONOBJ(YES)). AUDITKEYUSGCKDS (TOKEN(YES),LABEL(YES),INTERVAL(n)). AUDITKEYUSGPKDS (TOKEN(YES),LABEL(YES),INTERVAL(n)). AUDITPKCS11USG (TOKENOBJ(YES),SESSIONOBJ(YES),NOKEY(YES),INTERVAL(n)). DEFAULTWRAP (TOKENOBJ(YES),SESSIONOBJ(YES),NOKEY(YES),INTERVAL(n)). DEFAULTWRAP should -This parameter can be determined by the site. ENHANCED wrapping specifies the new X9.24 compliant CBC wrapping is used. If DEFAULTWRAP is not specified, the default wrapping method will be specified Note: ORIGINAL for both internal and external tokens. Starting with ICSF FMID HCR77C0, the value for this option can be updated without restarting ICSF by using either the SETICSF command or the ICSF Multi-Purpose service. This access must be restricted to appropriate personnel. Note: Other options may be site defined.